Google Confirms Chrome Attack Warning—What You Do Now

Posted by Zak Doffman, Contributor | 2 months ago | Cybersecurity, Innovation


Do not click links in emails. Those warnings now turn up weekly, because email platforms keep failing to detect and block such threats, and the problem is getting worse with the rise of AI-fueled attacks. Even so, these attacks still rely on a casual click or tap. So it is with the latest threat, which exploits a severe vulnerability in Chrome and has prompted Google to release an emergency update for Chrome on Windows.

“Google is aware that an exploit for CVE-2025-2783 exists in the wild,” the company said in its advisory on Tuesday. Chrome for Windows has now been updated to 134.0.6998.177/.178, which Google says “will roll out over the coming days/weeks.” You can get it faster than that by checking for updates yourself: open chrome://settings/help (Menu > Help > About Google Chrome), which triggers an immediate update check. Once the update has downloaded, relaunch the browser; the fix is not active until Chrome restarts.
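For anyone checking more than one machine, the following PowerShell script is an added example (not code from the article or from Google) that reads the installed Chrome version on Windows and compares it with the minimum fixed build, 134.0.6998.177. It assumes Chrome is in one of the standard install locations and relies on Chrome's updater staging the downloaded binary as new_chrome.exe next to chrome.exe until the browser is restarted, which is how it distinguishes "patched", "downloaded but waiting for a restart" and "still vulnerable".

```powershell
# Added example: report whether Chrome on this Windows host carries the fix for CVE-2025-2783.
# Assumptions: standard Chrome install paths (assumed), minimum fixed version 134.0.6998.177
# (from Google's advisory), and Chrome's updater staging an update as new_chrome.exe until restart.

function Test-ChromePatched {
    param(
        [version]$FixedVersion = [version]'134.0.6998.177'
    )

    # Usual install locations: per-machine (64-bit and 32-bit) and per-user. Assumed, not exhaustive.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    $chromeExe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

    if (-not $chromeExe) {
        return [pscustomobject]@{ Status = 'NotFound'; Installed = $null; Staged = $null; Path = $null }
    }

    # ProductVersion of chrome.exe is the version that actually runs when the browser launches.
    $installed = [version](Get-Item $chromeExe).VersionInfo.ProductVersion

    # A downloaded update sits beside the old binary as new_chrome.exe until Chrome is relaunched,
    # so its presence means the fix is on disk but not yet in use.
    $stagedExe = Join-Path (Split-Path $chromeExe) 'new_chrome.exe'
    $staged = $null
    if (Test-Path $stagedExe) {
        $staged = [version](Get-Item $stagedExe).VersionInfo.ProductVersion
    }

    $status = if ($installed -ge $FixedVersion) {
        'Patched'
    } elseif ($staged -and $staged -ge $FixedVersion) {
        'RestartRequired'
    } else {
        'Vulnerable'
    }

    return [pscustomobject]@{
        Status    = $status
        Installed = $installed
        Staged    = $staged
        Path      = $chromeExe
    }
}

$result = Test-ChromePatched
switch ($result.Status) {
    'Patched'         { Write-Host "OK: Chrome $($result.Installed) includes the fix."; exit 0 }
    'RestartRequired' { Write-Host "Update $($result.Staged) is downloaded but Chrome $($result.Installed) is still running; restart the browser."; exit 1 }
    'Vulnerable'      { Write-Host "VULNERABLE: Chrome $($result.Installed) is below 134.0.6998.177; open chrome://settings/help and update, then restart."; exit 1 }
    default           { Write-Host "Chrome not found in the usual install locations."; exit 2 }
}
```

The non-zero exit codes make the script usable from an endpoint-management tool that flags hosts still below the fixed build; the "RestartRequired" state is the one that catches users who took the update but never relaunched the browser.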


The new attacks were flagged by Kaspersky, which says it discovered the attacks earlier this month, describing this as a “wave of infections by previously unknown and highly sophisticated malware.” Once a victim clicked a link in a highly personalized email, Chrome opened and “infection occurred immediately.” Kaspersky warns that beyond clicking the link, “no further action was required to become infected.”

The researchers “analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a zero-day vulnerability affecting the latest version of Google Chrome. We then reported the vulnerability to the Google security team.” It’s that report that has driven this new update, as Google acknowledges in its release.

Kaspersky also says “this particular exploit is certainly one of the most interesting we’ve encountered,” admitting that it “really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”

The team worked out that “a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system” was to blame, which is why both the attack and the update are specific to Windows; Google’s own release notes describe CVE-2025-2783 as an incorrect handle provided in unspecified circumstances in Mojo on Windows. Other details have been withheld until “the majority of users have installed the updated version of the browser that fixes it.”

Kaspersky says the objective of such attacks is likely espionage, “targeting media outlets, educational institutions and government organizations.” The focus appears to be Russian institutions, and the sophistication suggests a nation-state-associated group might be at work. “The exploit we discovered was designed to run in conjunction with an additional exploit that enables remote code execution. Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have required waiting for a new wave of attacks and exposing users to the risk of infection.”


Patching the sandbox-escape bug breaks this attack chain, but the second, unrecovered exploit that provides remote code execution could be paired with a different escape in future campaigns, so it still needs to be identified and fixed. “All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack.”

The timing is awkward for Google, coming just days after Microsoft’s latest warning implying users would be safer switching from Chrome to Edge. Kudos to Google for rushing out a fix so quickly; now it is over to users to install it and restart their browsers.
